Transfer of valuable information between a secure module and another module

ABSTRACT

The present invention relates to system, apparatus and method for communicating valuable data from a portable module to another module via an electronic device. More specifically, the disclosed system, apparatus and method are useful for enabling a user to fill a portable module with a cash equivalent and to spend the cash equivalent at a variety of locations. The disclosed system incorporates an encryption/decryption method.

This application is a Divisional of application Ser. No. 08/594,975filed on Jan. 31, 1996.

CROSS REFERENCE TO OTHER APPLICATIONS

The following applications of common assignee contains related subjectmatter and is hereby incorporated by reference:

Ser. No. UNKNOWN, filed Jan. 31, 1996, entitled METHOD, APPARATUS,SYSTEM AND FIRMWARE FOR SECURE TRANSACTIONS; and

Ser. No. UNKNOWN, filed Jan. 31, 1996, entitled METHOD, APPARATUS ANDSYSTEM FOR TRANSFERRING UNITS OF VALUE.

BACKGROUND OF THE INVENTION

1. Technical Field of the Invention

The present invention relates to a method and system for transferringvaluable information securely between a secure module and anothermodule. More particularly, the present invention relates to transferringunits of value between a microprocessor based secure module and anothermodule used for carrying a monetary equivalent.

2. Description of Related Art

In the past the preferred means for paying for an item was cash. As oursociety has become more advanced, credit cards have become an acceptedway to pay for merchandise or services. The payment is not a payment tothe merchant, but instead is a credit given by a bank to the user thatthe merchant accepts as payment. The merchant collects money from thebank based on the credit. As time goes on, cash is used less and less,and money transfers between parties are becoming purely electronic.

Present credit cards have magnetic strips to identify the owner of thecard and the credit provider. Some credit cards have electroniccircuitry installed that identifies the credit card owner and the creditor service provider (the bank).

The magnetic strips installed in present credit cards do not enable thecard to be used as cash. That is the modern credit card does not allowthe consumer to buy something with the credit card and the merchant toreceive cash at the time of the transaction. Instead, when the consumerbuys something on credit, the merchant must later request that the bankpay for the item that the consumer bought. The bank then bills theconsumer for the item that was bought.

Thus, there is a need for an electronic system that allows a consumer tofill an electronic module with a cash equivalent in the same way aconsumer fills his wallet with cash. When the consumer buys a product orservice from a merchant, the consumer's module can be debited and themerchant's cash drawer can be credited without any further transactionswith a bank or service provider.

SUMMARY OF THE INVENTION

The present invention is an apparatus, system and method forcommunicating a cash equivalent electronically to and from a portablemodule. The portable module can be used as a cash equivalent when buyingproducts and services in the market place.

The present invention comprises a portable module that can communicateto a secure module via a microprocessor based device. The portablemodule can be carried by a consumer, filled with electronic money at anadd-money station, and be debited by a merchant when a product orservice is purchased by the consumer. As a result of a purchase, themerchant's cash drawer will indicate an increase in cash value.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the method and apparatus of the presentinvention may be had by reference to the following Detailed Descriptionwhen taken in conjunction with the accompanying Drawings wherein:

FIG. 1 depicts an exemplary system for transferring valuable informationbetween a module and a secure device;

FIG. 2 is a block diagram of an embodiment of a portable module;

FIG. 3 is a block diagram of an embodiment of a microprocessor basedmodule;

FIG. 4 is an exemplary technique for transferring valuable data securelyinto a portable module;

FIG. 5 is an exemplary technique for transferring valuable data securelyout of a portable module;

FIG. 6 is an exemplary organization of the software and firmware withina secure microprocessor based device; and

FIG. 7 is an exemplary configuration of software and firmware within asecure microprocessor based device.

DETAILED DESCRIPTION OF A PRESENTLY PREFERRED EXEMPLARY EMBODIMENT

FIG. 1 depicts a block diagram of an exemplary system 100 fortransferring valuable information to and from a portable module. Aportable module 102, which will be described in more detail later,communicates to a microprocessor based device 104. The portable module102 may contain information that represents units of exchange or acurrency equivalent. The microprocessor based device 104 can be any ofan unlimited number of devices. For example, the microprocessor baseddevice 104 could be a personal computer, an add-a-fare machine at atrain or bus station (similar to those in today's District of Columbiametro stations), a turn style, a toll booth, a bank's terminal, a rideat a carnival, a washing machine at a Laundromat, a locking device, amail metering device or any device that controls access, or meters amonetary equivalent, etc.

The means for communication 106 between the portable module 102 and themicroprocessor based device 104 is preferably via a single wire orcontact connection. The single wire connection 106 preferablyincorporates a communication protocol that allows the portable module102 and the microprocessor based device 104 to communicate in abidirectional manner. Preferably the communication protocol is aone-wire protocol developed by Dallas Semiconductor. It is understoodthat the means for communicating 106 is not limited to a single wireconnection. The communication means 106 could be multiple wires, awireless communication system, infrared light, any electromagneticmeans, a magnetic technique, or any other similar technique.

The microprocessor based device 104 is electrically connected to anothermicroprocessor based device, which is preferably a secure device 108.The term secure device means that the device is designed to contain asecret code and the secret code is extremely difficult to learn. Anexample of a secure device 108 is explained later in this document.

The microprocessor based device 104 can be connected to a variety ofother devices. Such devices include, but are not limited to a cashacceptor 110, an automatic teller machine (ATM) 112, a credit cardreader 114, and a phone line 116.

The cash acceptor 110 is adapted to receive cash in the form ofcurrency, such as dollar bills or coins. The cash acceptor 110,preferably, determines the value of the accepted currency. The cashacceptor 110 communicates to the microprocessor based device 104 andinforms the device 104 of how much currency has been deposited in thecash acceptor 110.

The cash acceptor 110 can also be a device which provides currency. Thatis, the cash accepter 110 in response to a communication from themicroprocessor based device 104, may provide a metered amount ofcurrency to a person.

The credit card reader 114, and ATM 112 can also be attached to themicroprocessor based device 104. The credit card reader 114 could beused to read a user's credit card and then, when authorized, eithercommunicate to the microprocessor based device 104 that units ofexchange need to be added to the portable module or that units ofexchange need to be extracted from the portable module to pay for agood, service or credit card bill.

The ATM 112 may also be connected to the microprocessor based device.Via communications from the ATM 112, the microprocessor based device 104can be informed that units of exchange need to be added or subtractedfrom the portable module 102.

Furthermore, it is also possible that the microprocessor based device104 is connected to a phone line 116. The phone line may be used for avariety of things. Most importantly, the phone line may be used to allowthe microprocessor based device 104 to communicate with a network ofdevices. Such telephonic communication may be for validatingtransactions or for aiding the accounting of transactions that areperformed via the microprocessor based device's 104 aid. It is furtherunderstood that the phone line may be any of a vast variety ofcommunication lines including wireless lines. Video, analog, or digitalinformation may be communicated over the phone line 116.

FIG. 2 depicts a preferred exemplary portable module 102. The portablemodule 102 is preferably a rugged read/write data carrier that can actas a localized data base and be easily accessed with minimal hardware.The module can be incorporated in a vast variety of portable items whichincludes, but is not limited to a durable micro-can package that ishighly resistant to environmental hazards such as dirt, moisture, andshock. The module can be incorporated into any object that can bearticulated by a human or thing, such as a ring, bracelet, wallet, nametag, necklace, baggage, machine, robotic device, etc. Furthermore, themodule 102 could be attached to a stationary item and the microprocessorbased device 104 may be articulated to the portable module 102. Forexample, the module 102 may be attached to a piece of cargo and a modulereader may be touched to or brought near the module 102. The modulereader may be part of the microprocessor based device 104.

The portable module 102 comprises a memory 202 that is preferably, atleast in part, nonvolatile memory for storing and retrieving vitalinformation pertaining to the system to which the module 102 may becomeattached to. The memory 202 may contain a scratchpad memory which mayact as a buffer when writing into memory. Data is first written to thescratchpad where it can be read back. After data has been verified, thedata is transferred into the memory.

The module 102 also comprises a counter 206 for keeping track of thenumber of transactions the module has performed (the number of timescertain data in the memory of the module has been changed). A timer 102may be provided in the module to provide the ability to time stamptransactions performed by the module. A memory controller 204 controlsthe reading and writing of data into and out of the memory 202.

The module also may comprise an identification number 210. Theidentification number preferably uniquely identifies the portable modulefrom any other portable module.

An input/output control circuit 212 controls the data flow into and outof the portable module 102. The input/output control ("I/O") 212preferably has an input buffer and an output buffer and interfacecircuitry 214. As stated above, the interface circuitry 214 ispreferably a one-wire interface. Again, it is understood that a varietyof technologies can be used to interface the portable module 102 toanother electronic device. A single wire or single connection ispreferred because the mechanics of making a complete connection issimplified. It is envisioned that a proximity/wireless communicationtechnique is also a technique for communicating between the module 102and another device. Thus, the interface circuit 214 can be a singlewire, multiple wire, wireless, electromagnetic, magnetic, light, orproximity, interface circuit.

FIG. 3 depicts a block diagram of an exemplary secure microprocessorbased device ("secure device") 108. The secure device circuitry can be asingle integrated circuit. It is understood that the secure device 108could also be a monolithic or multiple circuits combined together. Thesecure device 108 preferably comprises a microprocessor 12, a real timeclock 14, control circuitry 16, a math coprocessor 18, memory circuitry20, input/output circuitry 26, and an energy circuit 34.

The secure device 108 could be made small enough to be incorporated intoa variety of objects including, but not limited to a token, a card, aring, a computer, a wallet, a key fob, a badge, jewelry, a stamp, orpractically any object that can be grasped and/or articulated by a userof the object. In the present system 100, the secure device 108 ispreferably adapted to be a trusted certifying authority. That is thesecure device 108 is a trusted computer. The secure device 108 comprisesa numeric coprocessor 18 optimized for math intensive encryption. TheBIOS is immune to alteration and is specifically designed for securetransactions. This secure device 108 is preferably encased in a durable,dirt, moisture and shock resistant stainless steel enclosure, but couldbe encased in wide variety of structures so long as specific contents ofthe secure device 108 are extremely difficult to decipher. The securedevice 108. The secure device 108 may have the ability to store orcreate a private/public key set, whereby the private key never leavesthe secure device 108 and is not revealed under almost any circumstance.Furthermore, the secure module 108 is preferably designed to preventdiscovery of the private key by an active self-destruction of the keyupon wrongful entry.

The microprocessor 12 is preferably an 8-bit microprocessor, but couldbe 16, 32, 64 or any operable number of bits. The clock 14 providestiming for the module circuitry. There can also be separate clockcircuitry 14 that provides a continuously running real time clock.

The math coprocessor circuitry 18 is designed and used to handle verylarge numbers. In particular, the coprocessor will handle the complexmathematics of RSA encryption and decryption or other types of mathintensive encryption or decryption techniques.

The memory circuitry 20 may contain both read-only-memory andnon-volatile random-access-memory. Furthermore, one of ordinary skill inthe art would understand that volatile memory, EPROM, SRAM and a varietyof other types of memory circuitry might be used to create an equivalentdevice.

Control circuitry 16 provides timing, latching and various necessarycontrol functions for the entire circuit.

An input/output circuit 26 enables bidirectional communication with thesecure module 108. The input/output circuitry 26 preferably comprises atleast an output buffer and an input buffer. For communication via aone-wire bus, one-wire interface circuitry can be included with theinput/output circuitry 26. It is understood that the input/outputcircuitry 26 of the secure device 108 can be designed to operate on asingle wire, a plurality of wires or any means for communicating isinformation between the secure module 108 and the microprocessor baseddevice 104.

An energy circuit 34 may be necessary to maintain stored information inthe memory circuitry 20 and/or aid in powering the other circuitry inthe module 108. The energy circuit 34 could consist of a battery,capacitor, R/C circuit, photo-voltaic cell, or any other equivalentenergy producing circuit or means.

The firmware architecture of the secure module 108 and how it operateswithin the exemplary system for transferring valuable information, suchas units of exchange or currency, between the secure module 108 and aportable module 102 will now be discussed. The secure module 108provides encryption and decryption services for confidential datatransfer through the microprocessor based device 104. The followingexamples are intended to illustrate a preferred feature set of thesecure module 108 and to explain the services that the exemplary system100 can offer. These applications and examples by no means limit thecapabilities of the invention, but instead bring to light a sampling ofits capabilities.

I. Overview of the Preferred Secure Module 108 and its Firmware Design

Referring to FIG. 3 again, the secure module 108 preferably contains ageneral-purpose, 8051-compatible micro controller 12 or a reasonablysimilar product, a continuously running real-time clock 14, a high-speedmodular exponentiation accelerator for large integers (math coprocessor)18, input and output buffers 28, 30 with a one-wire interface 32 forsending and receiving data, 32 Kbytes of ROM memory 22 withpreprogrammed firmware, 8 Kbytes of NVRAM (non-volatile RAM) 24 forstorage of critical data, and control circuitry 16 that enables themicro controller 12 to be powered up to interpret and act on the dataplaced in an input data object. The module 108 draws its operating powerfrom a single wire, one-wire communication line. The micro controller12, clock 14, memory 20, buffers 28, 30, one-wire front-end 32, modularexponentiation accelerator 18, and control circuitry 16 are preferablyintegrated on a single silicon chip and packaged in a stainless steelmicro can using packaging techniques which make it virtually impossibleto probe the data in the NVRAM 24 without destroying the data.Initially, most of the NVRAM 24 is available for use to supportapplications such as those described below. One of ordinary skill willunderstand that there are many comparable variations of the moduledesign. For example, volatile memory might be used, or an interfaceother than a one-wire interface could be used.

The secure module 108 is preferably intended to be used first by aService Provider who loads the secure module 108 with data to enable itto perform useful functions, and second by an End User who issuescommands to the secure module 108 to perform operations on behalf of theService Provider for the benefit of the End User. For this reason, thesecure module 108 offers functions to support the Service Provider insetting up the module for an intended application. It also offersfunctions to allow the End User to invoke the services offered by theService Provider.

Each Service Provider can reserve a block of NVRAM memory to support itsservices by creating a transaction group 40 (refer to FIGS. 6 and 7). Atransaction group 40 is simply a set of software objects 42 that aredefined by the Service Provider. These objects 42 include both dataobjects (encryption keys, transaction counts, money amounts, date/timestamps, etc.) and transaction scripts 44 which specify how to combinethe data objects in useful ways. Each Service Provider creates his owntransaction group 40, which is independent of every other transactiongroup 40. Hence, multiple Service Providers can offer different servicesin the same module 108. The number of independent Service Providers thatcan be supported depends on the number and complexity of the objects 42defined in each transaction group 40. Examples of some of the objects 42that can be defined within a transaction group 40 are the following:

    ______________________________________                                        RSA Modulus         Clock Offset                                              RSA Exponent        Random SALT                                               Transaction Script  Configuration Data                                        Transaction Counter Input Data                                                Money Register      Output Data                                               Destructor                                                                    ______________________________________                                    

Within each transaction group 40 the secure module 108 will initiallyaccept certain commands which have an irreversible effect. Once any ofthese irreversible commands are executed in a transaction group 40, theyremain in effect until the end of the module's useful life or until thetransaction group 40, to which it applies, is deleted from the securemodule 108. In addition, there are certain commands which have anirreversible effect until the end of the module's life or until a mastererase command is issued to erase the entire contents of the securemodule 108. These commands will be discussed further below. Thesecommands are essential to give the Service Provider the necessarycontrol over the operations that can be performed by the End User.Examples of some of the irreversible commands are:

    ______________________________________                                        Privatize Object   Lock Object                                                Lock Transaction Group                                                                           Lock Micro-In-A-Can ™                                   ______________________________________                                    

Since much of the module's utility centers on its ability to keep asecret, the Privatize command is a very important irreversible command.

Once the secure module 108, as a whole, is locked, the remaining NVRAMmemory 24 is allocated for a circular buffer for holding an audit trailof previous transactions. Each of the transactions are identified by thenumber of the transaction group, the number of objects 42 within thespecified group, and the date/time stamp.

The fundamental concept implemented by the firmware is that the ServiceProvider can store transaction scripts 44 in a transaction group 40 toperform only those operations among objects that he wishes the End Userto be able to perform. The Service Provider can also store and privatizeRSA key or keys (encryption keys) that allow the secure module 108 to"sign" transactions on behalf of the Service Provider, therebyguaranteeing their authenticity. By privatizing and/or locking one ormore objects 42 in the transaction group 40, the Service Providermaintains control over what the secure module 108 is allowed to do onhis behalf. The End User cannot add new transaction scripts 44 and istherefore limited to the operations on objects 42 that can be performedwith the transaction scripts 44 programmed by the Service Provider.

II. Usage Models of the Secure Module 108 and Portable Module 102

This section presents practical applications of the system 100. Each ofthese applications is described in enough detail to make it clear whythe secure module 108 and portable module 102 are important to thesystem application.

A. Transferring Units of Exchange Out of a Portable Module 102

This section describes an example of how a portable module 102 and asecure module 108 operate in conjunction with the microprocessor baseddevice 104 so that units of exchange can be securely transferred out ofthe portable module 102 and deposited into the secure module 108 and/orpotentially communicated to at least one of the cash acceptor 110, ATM112, credit card reader 114, or the phone line 116.

Referring to FIG. 4, initially the portable module 102 contains its IDnumber, a count within its transaction counter and an encrypted datapacket stored in memory. Encrypted within the data packet is theportable modules ID number, the portable modules transaction countnumber, and the amount of value (the monetary value) of the portablemodule at the present time X1.

The user of the portable module touches, or somehow puts the portablemodule 102 into communication with the microprocessor based device 104.For explanation purposes, suppose the portable module 102 is being usedas a token used to pay for a train fare. Thus, the microprocessor baseddevice 104 could be, in this case, a turn style that allows the user toenter a train platform. The cost of entering the train platform is knownby the microprocessor based device 104.

The microprocessor based device 104 reads the portable module's serialnumber, transaction count, and the encrypted data packet X2. This datacould be referred to as a first data.

The microprocessor device 104 then provides the first data along with afirst value, being the amount of value to be debited from the portabletoken (the train fare), to the secure module 108 X3. The secure module108 decrypts the encrypted data found in the first data using a publickey X4.

Next, the secure module 108 makes a few comparisons to make sure thatthe data received is good data and not counterfeit. The secure module108 compares the serial number received in the first data with thedecrypted serial number X5. If the two serial numbers match then thesecure module 108 compares the transaction count received in the firstdata with the decrypted transaction count X6. If the two transactioncounts match then the secure module is comfortable that the datareceived is not counterfeit data. It is understood that the comparisonscan be done in any order.

Furthermore, there may have been a time stamp sent from the portablemodule 102. The time stamp may indicate a variety of things. One thingcould be an indication of whether the portable module is still valid orthe time stamp may further enable the secure module to decide if thedata is or is not counterfeit.

Assuming all the data passed to the secure module 108 is determined tobe valid data, the secure module 108 subtracts the first value, thetrain fare, from the monetary value of the portable module 102 X7. Thedecrypted transaction count is then incremented.

A register within the secure module 108 is increased by the amount ofthe first value, the train fare, so that the secure module can keep anaccounting of the amount of "money" it has collected X8. The securemodule 108 creates a data packet, a second data, which comprises atleast the portable module's serial number, the incremented transactioncount, and the reduced monetary value of the portable module 102. Thesecond data packet is then encrypted by the secure module 108 using aprivate key X9.

The microprocessor based device 104 receives the encrypted second datapacket, passes the encrypted second data packet to the portable module102 X10, and opens the turn style to let the module's user onto thetrain platform. The portable module 102 receives the encrypted seconddata packet and stores it in memory X11. The portable module alsoincrements its transaction count indicating that another transaction hasoccurred X12.

Thus, the above description indicates how valuable information can betransferred between a portable insecure module 102 and a secure module108 wherein there is a conservation of value. That is, no value isgained or lost. Value that was in the portable module 102 was decreasedby the same amount value was added to the secure module 108. In theexample provided, the decrease and increase in value was equal to atrain fare. Such an increment or decrement can also be equal to anamount provided by an ATM, credit card transaction, cash acceptor, etc.

It is also understood that the insecure portable is module 102 could beanother secure module similar to the secure module in the system, butprogramed to act like a portable module 102.

B. Transferring Units of Exchange Into the Portable Module 102

In this example, for simplicity, suppose the portable module does nothave any monetary value and the user of the portable module wishes to"fill it up" with value. Suppose the user wishes to take cash out of anATM machine and instead of pocketing the cash, the user wishes to putthe cash value into the portable module 102.

Referring to FIG. 5, the portable module 102 contains its ID number, atransaction count and an encrypted data packet containing the portablemodule's ID number, transaction count and the monetary value of theportable module 102 Y1. The microprocessor based device 104, which inthis example could be part of the ATM machine 112, receives theinformation contained in the portable module 102 when a communication isinitiated between the portable module 102 and the microprocessor baseddevice 104 Y2.

The microprocessor based device 104 passes the module's serial number,transaction count, and encrypted data packet as a first data packet tothe secure module 108. The microprocessor based device also passes theamount of amount of monetary value to add to the portable module 102, asindicated by the ATM 112, to the secure module 108 Y3.

The secure module 108 decrypts the encrypted data passed to it using apublic key Y4. The secure module 108 then makes a few comparisons tomake sure that the data it has just received is valid and notcounterfeit. The secure module 108 compares the serial number (IDnumber) received in the first data packet with the serial number (IDnumber) found in the decrypted data Y5. The secure module 108 alsocompares the transaction count passed the first data packet with thetransaction count found in the decrypted data Y6. If the serial numbersand transaction counters match, then the secure module decides that thedata received is valid and the secure module adds the monetary value,indicated by the ATM to the monetary value of the decrypted data Y7. Thedecrypted transaction count is incremented Y8. A register within thesecure module may be decremented by the same amount that the monetaryvalue of the decrypted data was increased Y8.

The secure module 108 creates a second data packet, that contains theportable module's ID number, the incremented transaction counter and theincreased monetary value. The second data packet is then encrypted usinga private key Y10.

The microprocessor based device 104 reads the encrypted second datapacket and sends it to the portable module 102 Y11. The portable modulereceives the encrypted second data packet and stores it in memory Y12.The portable module also advances its transaction counter Y13. Theresult being that the portable module now has the value of the cashwithdrawn from the ATM 112. Furthermore, a record of the transaction mayhave been recorded and kept in the secure module, as well as by the bankthat operates the ATM 112.

Exemplary Firmware Definitions for Use With the Secure Module

Object The most primitive data structure accepted by and operated on bythe secure modules firmware. A list of valid objects and theirdefinitions is provided in the next section.

Group A self-contained collection of objects. An object's scope isrestricted to the group of which it is a member.

Group ID A number preferably between 0 and 255 representing a specificgroup.

Object ID A number preferably between 0 and 255 representing a specificobject within a specific group.

Object Type Preferably a 1-byte type specifier that describes a specificobject.

PIN An alphanumeric Personal Identification number that is preferablyeight bytes in length.

Common PIN The PIN that controls access to shared resources such as theaudit trail. It is also used to control the host's ability to create anddelete groups.

Group PIN The PIN that controls access to operations specific to objectswithin a group.

Audit Trail A record of transactions occurring after the secure modulehas been locked.

Locked Object An object which has been locked by executing the lockobject command. Once an object is locked it is not directly readable.

Private Object An object which has been privatized by executing theprivatize object command. Once an object is private, it is not directlyreadable or writable.

Locked Group A group which has been locked using the locked groupcommand. After a group has been locked it will not allow objectcreation.

Composite Object A combination of several objects. The individualobjects inherit the attributes of the composite object.

Exemplary Object Definitions

RSA Modulus A large integer preferably of at most 1024 bits in length.It is the product of 2 large prime numbers that are each about half thenumber of bits in length of the desired modulus size. The RSA modulus isused in the following equations for encrypting and decrypting a messageM:

    Encryption: C=M.sup.e (mod N)                              (1)

    Decryption: M=C.sup.d (mod N)                              (2)

where C is the cyphertext, d and e are the RSA exponents (see below),and N is the RSA modulus.

RSA Exponent Both e and d (shown in equations 1 and 2 above) are RSAexponents. They are typically large numbers but are smaller than themodulus (N). RSA exponents can be either private or public. When RSAexponents are created in the secure module, they may be declared aseither. Once created an exponent may be changed from a public exponentto a private exponent. After an exponent has been made private, however,it will remain private until the transaction group 40 to which itbelongs is destroyed.

Transaction Script A transaction script is a series of instructions tobe carried out by the secure module. When invoked the secure modulefirmware interprets the instructions in the script and places theresults in the output data object (see below). The actual script issimply a list of objects. The order in which the objects are listedspecifies the operations to be performed on the objects. transactionscripts 44 preferably may be as long as 128 bytes.

Transaction Counter The transaction counter object is preferably 4 bytesin length and is usually initialized to zero when it is created. Everytime a transaction script, which references this object, is invoked, thetransaction counter increments by 1. Once a transaction counter has beenlocked it is read only and provides an irreversible counter.

Money Register The money register object is preferably 4 bytes in lengthand may be used to represent money or some other form of credit. Oncethis object has been created, it must be locked to prevent a user fromtampering with its value. Once locked the value of this object can bealtered only by invoking a transaction script. A typical transactiongroup 40 which performs monetary transactions might have one script forwithdrawals from the money register and one for deposits to the moneyregister.

Clock Offset This object is preferably a 4 byte number which containsthe difference between the reading of the secure module's real-timeclock and some convenient time (e.g., 12:00 a.m., Jan. 1, 1970). Thetrue time can then be obtained from the secure module by adding thevalue of the clock offset to the real-time clock.

SALT A SALT object is preferably 20 bytes in length and should beinitialized with random data when it is created. When a host transmits agenerate random SALT command, the secure module combines the previousSALT with the secure module's random number (produced preferably byrandomly occurring power-ups) to generate a new random SALT. If the SALTobject has not been privatized it may subsequently be read by issuing aread object command.

Configuration Data This is a user defined structure with preferably amaximum length of 128 bytes. This object is typically used to storeconfiguration information specific to its transaction group 40. Forexample, the configuration data object may be used to specify the formatof the money register object (i.e., the type of currency it represents).Since this object has no pre-defined structure, it may never be used bya transaction object.

Input Data An input data object is simply an input buffer withpreferably a maximum length of 128 bytes. A transaction group may havemultiple input objects. The host uses input data objects to store datato be processed by transaction scripts 44.

Output Data The output data object is used by transaction scripts as anoutput buffer. This object is automatically created when the transactiongroup is created. It is preferably 512 bytes in length and inheritspassword protection from its group.

Random Fill When the script interpreter encounters this type of objectit automatically pads the current message so that its length is 1 bitsmaller than the length of the preceding modulus. A handle to thisobject is automatically created when the transaction group is created.It is a private object and may not be read using the read objectcommand.

Working Register This object is used by the script interpreter asworking space and may be used in a transaction script. A handle to thisobject is automatically created when the transaction group is created.It is a private object and may not be read using the read objectcommand.

ROM Data This object is automatically created when the transaction groupis created. It is a locked object and may not be altered using the writeobject command. This object is 8 bytes and length and its contents areidentical to the 8 by ROM data of the Micro-In-A-Can™.

Preferred Secure Module Firmware Command Set

    ______________________________________                                        Set Common PIN(01H)                                                           ______________________________________                                        Transmit (to secure module)                                                   01H, old PIN, new PIN, PIN option byte                                        Receive data                                                                  CSB (command status byte) = 0 if successful,                                  appropriate error code otherwise                                              Output length = 0                                                             Output Data = 0                                                               ______________________________________                                    

Notes:

The PIN option byte may be the bitwise-or of any of the followingvalues:

    ______________________________________                                        PIN.sub.-- TO.sub.-- ERASE                                                                      00000001b (require PIN for                                                    Master Erase)                                               PIN.sub.-- TO.sub.-- CREATE                                                                     00000010b (require PIN for                                                    group creation).                                            ______________________________________                                    

Initially the secure module has a PIN (Personal Identification Number)of 0 (Null) and an option byte of 0. Once a PIN has been established itcan only be changed by providing the old PIN or by a Master Erase.However, if the PIN₋₋ TO₋₋ ERASE bit is set in the option byte, the PINcan only be changed through the set common PIN command.

Possible error codes for the set common PIN command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN                                                           (Common PIN match                                                             failed)                                                   ERR.sub.-- BAD.sub.-- PIN.sub.-- LENGTH                                                           (New PIN length                                                               > 8 bytes)                                                ERR.sub.-- BAD.sub.-- OPTION.sub.-- BYTE                                                          (Unrecognizable option                                                        byte)                                                     ______________________________________                                    

For all commands described in this section, data received by the hostwill be in the form of a return packet. A return packet has thefollowing structure:

    ______________________________________                                        Command status byte                                                                             (0 if command successful,                                                     error code otherwise, 1 byte)                               Output data length                                                                              (Command output length, 2                                                     bytes)                                                      Output data       (Command output, length                                                       specified above).                                           ______________________________________                                    

    ______________________________________                                        Master Erase (02H)                                                            ______________________________________                                        Transmit data                                                                 02H, Common PIN                                                               Receive data                                                                  CSB = 0 if command was successful,                                            ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN otherwise                             Output length = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

If the LSB (least significant bit) of the PIN option is clear (i.e. PINnot required for Master Erase) then a 0 is transmitted for the CommonPIN value. In general this text will always assume a PIN is required. Ifno PIN has been established a 0 should be transmitted as the PIN. Thisis true of the common PIN and group PINS (see below). If the PIN wascorrect the firmware deletes all groups (see below) and all objectswithin the groups. The common PIN and common PIN option byte are bothreset to zero.

After everything has been erased the secure module transmits the returnpacket. The CSB is as described above. The output data length and outputdata fields are both set to 0.

    ______________________________________                                        Create Group (03H)                                                            ______________________________________                                        Transmit data                                                                 03H, Common PIN, Group name, Group PIN                                        Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = 1 if successful, 0 otherwise                                  Output data = Group ID if successful, 0                                       otherwise                                                                     ______________________________________                                    

Notes:

The maximum group name length is 16 bytes and the maximum PIN length iseight bytes. If the PIN₋₋ TO₋₋ CREATE bit is set in the common PINoption byte and the PIN transmitted does not match the common PIN thesecure module will set the OSC to ERR₋₋ BAD₋₋ COMMON₋₋ PIN.

Possible error return codes for the create group command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN                                                          (Incorrect common PIN)                                     ERR.sub.-- BAD.sub.-- NAME.sub.-- LENGTH                                                         (If group name length > 16                                                    bytes)                                                     ERR BAD.sub.-- PIN.sub.-- LENGTH                                                                 (If group PIN length                                                          > 8 bytes)                                                 ERR.sub.-- MIAC.sub.-- LOCKED                                                                    (The secure module has                                                        been locked)                                               ERR.sub.-- INSUFFICIENT.sub.-- RAM                                                               (Not enough memory for                                                        new group)                                                 ______________________________________                                    

    ______________________________________                                        Set Group PIN (04H)                                                           ______________________________________                                        Transmit data                                                                 04H, Group ID, old GPIN, new GPIN                                             Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

The Group PIN only restricts access to objects within the groupspecified by the group ID transmitted in the command packet.

Possible error codes for the set group PIN command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Group PIN match                                                              failed)                                                   ERR.sub.-- BAD.sub.-- PIN.sub.-- LENGTH                                                           (New group PIN length                                                         > 8 bytes)                                                ______________________________________                                    

    ______________________________________                                        Create Object (05H)                                                           ______________________________________                                        Transmit data                                                                 05H, Group ID, Group PIN, Object type, Object                                 attributes, Object data                                                       Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = 1 if successful, 0 otherwise                                  Output data = object ID if successful, 0                                      otherwise                                                                     ______________________________________                                    

Notes:

If the Create Object command is successful the secure module firmwarereturns the object's ID within the group specified by the Group ID. Ifthe PIN supplied by the host was incorrect or the group has been lockedby the Lock Group command (described below) the secure module returns anerror code in the CSB. An object creation will also fail if the objectis invalid for any reason. For example, if the object being created isan RSA modulus (type 0) and it is greater than 1024 bits in length.transaction script creation will succeed if it obeys all transactionscripts rules.

Possible error return codes for the create object command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- GROUP.sub.-- LOCKED                                                                    (The group has been                                                           locked)                                                   ERR.sub.-- MIAC.sub.-- LOCKED                                                                     (The secure module has                                                        been locked)                                              ERR.sub.-- INVALID.sub.-- TYPE                                                                    (The object type                                                              specified is invalid)                                     ERR.sub.-- BAD.sub.-- SIZE                                                                        (The objects length                                                           was invalid)                                              ERR.sub.-- INSUFFICIENT.sub.-- RAM                                                                (Not enough memory for                                                        new object)                                               Object types: RSA modulus    0                                                              RSA exponent   1                                                              Money register 2                                                              Transaction counter                                                                          3                                                              Transaction script                                                                           4                                                              Clock offset   5                                                              Random SALT    6                                                              Configuration object                                                                         7                                                              Input data object                                                                            8                                                              Output data object                                                                           9                                                Object Attributes:                                                                          Locked         00000001b                                                      Privatized     00000010b                                        ______________________________________                                    

Objects may also be locked and privatized after creation by using theLock Object and Privatize Object commands described below.

    ______________________________________                                        Lock Object (06H)                                                             ______________________________________                                        Transmit data                                                                 06H, Group ID, Group PIN, Object ID                                           Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

If the Group ID, Group PIN and Object ID are all correct, the securemodule will lock the specified object. Locking an object is anirreversible operation.

Possible error return codes for the lock object command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- GROUP.sub.-- LOCKED                                                                    (The group has already                                                        been locked)                                              ERR.sub.-- MIAC.sub.-- LOCKED                                                                     (The secure module has                                                        been locked)                                              ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ERR.sub.-- BAD.sub.-- OBJECT.sub.-- ID                                                            (Specified object does                                                        not exist)                                                ______________________________________                                    

    ______________________________________                                        Privatize Object (07H)                                                        ______________________________________                                        Transmit data                                                                 07H, Group ID, Group PIN, Object ID                                           Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     ______________________________________                                    

Notes:

If the Group ID, Group PIN and Object ID were valid the object will beprivatized. Privatized objects share all the properties of lockedobjects but are not readable. Privatized objects are only modifiablethrough transaction scripts. Note that locking a privatized object islegal, but has no meaning since object privatization is a strongeroperation than object locking. Privatizing an object is an irreversibleoperation.

Possible error return codes for the privatize object command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- GROUP.sub.-- LOCKED                                                                    (The group has already                                                        been locked)                                              ERR.sub.-- MIAC.sub.-- LOCKED                                                                     (The secure module has                                                        been locked)                                              ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ERR.sub.-- BAD.sub.-- OBJECT.sub.-- ID                                                            (Specified object does                                                        not exist)                                                ______________________________________                                    

    ______________________________________                                        Make Object Destructable (08H)                                                ______________________________________                                        Transmit data                                                                 08H, Group ID, Group PIN, Object ID                                           Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     ______________________________________                                    

Notes:

If the Group ID, Group PIN and Object ID were valid the object will bemade destructable. If an object is destructable it becomes unusable by atransaction script after the groups destructor becomes active. If nodestructor object exists within the transaction group the destructibleobject attribute bit has no affect. Making an object destructable is anirreversible operation.

Possible error return codes for the make object destructable command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- GROUP.sub.-- LOCKED                                                                    (The group has already                                                        been locked)                                              ERR.sub.-- MIAC.sub.-- LOCKED                                                                     (The secure module has                                                        been locked)                                              ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ERR.sub.-- BAD.sub.-- OBJECT.sub.-- ID                                                            (Specified object does                                                        not exist)                                                ______________________________________                                    

    ______________________________________                                        Lock Secure module (09H)                                                      ______________________________________                                        Transmit data                                                                 09H, Common PIN                                                               Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     Output length = 2 if successful, 0 otherwise                                  Output data = audit trail size if successful,                                 0 otherwise                                                                   ______________________________________                                    

Notes:

If the host supplied Common PIN is correct and the secure module has notpreviously been locked, the command will succeed. When the secure moduleis locked it will not accept any new groups or objects. This impliesthat all groups are automatically locked. The RAM not used by the systemor by groups will be used for an audit trail. There is no audit trailuntil the secure module has successfully been locked|

An audit trail record is six bytes long and has the following structure:

    Group ID|Object ID|Date/Time stamp.

Once an audit trail has been established, a record of the form shownabove will be stored in the first available size byte location everytime a transaction script is executed. Note that since the secure modulemust be locked before the audit trail begins, neither the group ID norany object ID is subject to change. This will always allow anapplication processing the audit trail to uniquely identify thetransaction script that was executed. Once the audit trail has consumedall of its available memory, it will store new transaction records overthe oldest transaction records.

Possible error codes for the lock secure module command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN                                                           (Supplied common PIN                                                          was incorrect)                                            ERR.sub.-- MIAC.sub.-- LOCKED                                                                     (Secure module was                                                            already locked)                                           ______________________________________                                    

    ______________________________________                                        Lock Group (0AH)                                                              ______________________________________                                        Transmit data                                                                 0AH, Group ID, Group PIN                                                      Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

If the group PIN provided is correct the secure module BIOS will notallow further object creation within the specified group. Since groupsare completely self-contained entities they may be deleted by executingthe Delete Group command (described below).

Possible error return codes for the lock group command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- GROUP.sub.-- LOCKED                                                                    (The group has already                                                        been locked)                                              ERR.sub.-- MIAC.sub.-- LOCKED                                                                     (The secure module has                                                        been locked)                                              ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ______________________________________                                    

    ______________________________________                                        Invoke Transaction Script (0BH)                                               ______________________________________                                        Transmit data                                                                 0BH, Group ID, Group PIN, Object ID                                           Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = 1 if successful, 0 otherwise                                  Output data = estimated completion time                                       ______________________________________                                    

Notes:

The time estimate returned by the secure module is in sixteenths of asecond. If an error code was returned in the CSB, the time estimate willbe 0.

Possible error return codes for the execution transaction scriptcommand:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ERR.sub.-- BAD.sub.-- OBJECT.sub.-- ID                                                            (Script object did not                                                        exist in group)                                           ______________________________________                                    

    ______________________________________                                        Read Object (0CH)                                                             ______________________________________                                        Transmit data                                                                 0CH, Group ID, Group PIN, Object ID                                           Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = object length if successful, 0                                otherwise                                                                     Output data = object data if successful, 0                                    otherwise                                                                     ______________________________________                                    

Notes:

If the Group ID, Group PIN and Object ID were correct, the secure modulechecks the attribute byte of the specified object. If the object has notbeen privatized the secure module will transmit the object data to thehost. If the Group PIN was invalid or the object has been privatized thesecure module will return a 0 in the output length, and data fields ofthe return packet.

Possible error codes for the read object command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ERR.sub.-- BAD.sub.-- OBJECT.sub.-- ID                                                            (Object did not exist                                                         in group)                                                 ERR.sub.-- OBJECT.sub.-- PRIVATIZED                                                               (Object has been                                                              privatized)                                               ______________________________________                                    

    ______________________________________                                        Write Object (0DH)                                                            ______________________________________                                        Transmit data                                                                 0DH, Group ID, Group PIN, Object ID, Object                                   size, Object Data                                                             Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     Output length = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

If the Group ID, Group PIN and Object ID were correct, the secure modulechecks the attribute byte of the specified object. If the object has notbeen locked or privatized the secure module will clear the objectsprevious size and data and replace it with the new object data. Notethat the object type and attribute byte are not affected.

Possible error codes for the write object command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                             (Incorrect group PIN)                                    ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                              (Specified group does                                                         not exist)                                               ERR.sub.-- BAD.sub.-- OBJECT ID                                                                    (Object did not exist                                                         in group)                                                ERR.sub.-- BAD.sub.-- OBJECT.sub.-- SIZE                                                           (Illegal object size                                                          specified)                                               ERR.sub.-- OBJECT.sub.-- LOCKED                                                                    (Object has been                                                              locked)                                                  ERR.sub.-- OBJECT.sub.-- PRIVATIZED                                                                (Object has been                                                              privatized)                                              ______________________________________                                    

    ______________________________________                                        Read Group Name (0EH)                                                         ______________________________________                                        Transmit data                                                                 0EH, Group ID                                                                 Receive data                                                                  CSB = 0                                                                       Output Length = length of group name                                          Output data = group name                                                      ______________________________________                                    

Notes:

The group name length is a maximum of 16 bytes. All byte values arelegal in a group name.

    ______________________________________                                        Delete Group (0FH)                                                            ______________________________________                                        Transmit data                                                                 0FH, Group ID, Group PIN                                                      Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     Output length = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

If the group PIN and group ID are correct the secure module will deletethe specified group. Deleting a group causes the automatic destructionof all objects within the group. If the secure module has been lockedthe Delete Group command will fail.

Possible error codes for the delete group command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- CROUP.sub.-- PIN                                                             (Incorrect group PIN)                                    ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                              (Specified group does                                                         not exist)                                               ERR.sub.-- MIAC.sub.-- LOCKED                                                                      (Secure module has                                                            been locked)                                             ______________________________________                                    

    ______________________________________                                        Get Command Status Info (10H)                                                 ______________________________________                                        Transmit data                                                                 10H                                                                           Receive data                                                                  CSB = 0                                                                       Output length = 6                                                             Output data = secure module status structure                                  (see below)                                                                   ______________________________________                                    

Notes:

This operation requires no PIN and never fails. The status structure isdefined as follows:

    ______________________________________                                        Last command executed  (1 byte)                                               Last command status    (1 byte)                                               Time command received  (4 bytes)                                              ______________________________________                                    

    ______________________________________                                        Get Secure module Configuration Info (11H)                                    ______________________________________                                        Transmit data                                                                 11H                                                                           Receive data                                                                  CSB = 0                                                                       Output length = 4                                                             Output data = secure module configuration                                     structure                                                                     ______________________________________                                    

Notes:

This operation requires no PIN and never fails. The configurationstructure is defined as follows:

    ______________________________________                                        Number of groups       (1 byte)                                               Flag byte (see below)  (1 byte)                                               Audit trail size/Free RAM                                                                            (2 bytes)                                              ______________________________________                                    

The flag byte is the bitwise-or of any of the following values:

    ______________________________________                                        00000001b (Secure module is locked)                                           00000010b (Common PIN required for access)                                    ______________________________________                                    

    ______________________________________                                        Read Audit Trail Info (12H)                                                   ______________________________________                                        Transmit data                                                                 12H, Common PIN                                                               Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = audit trail structure size (5)                                if successful, 0 otherwise                                                    Output data = audit trail info structure if                                   successful, 0 otherwise                                                       ______________________________________                                    

Notes:

If the transmitted Common PIN is valid and the secure module has beenlocked, it returns audit trail configuration information as follows:

    ______________________________________                                        Number of used transaction records                                                                    (2 bytes)                                             Number of free transaction records                                                                    (2 bytes)                                             A boolean specifying whether or                                                                       (1 byte)                                              not the audit trail rolled                                                    since previous read command                                                   ______________________________________                                    

Possible error codes for the read audit trail info command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN                                                            (Common PIN was                                                               incorrect)                                               ERR.sub.-- MIAC.sub.-- NOT.sub.-- LOCKED                                                           (Secure module is not                                                         locked)                                                  ______________________________________                                    

    ______________________________________                                        Read Audit Trail (13H)                                                        ______________________________________                                        Transmit data                                                                 13H, Common PIN                                                               Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = # of new records * 6 if                                       successful, 0 otherwise                                                       Output data = new audit trail records                                         ______________________________________                                    

Notes:

If the transmitted common PIN is valid and the secure module has beenlocked, it will transfer all new transaction records to the host.

Possible error codes for the read audit trail command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN                                                          (Common PIN was                                                               incorrect).                                                ERR.sub.-- MIAC.sub.-- NOT.sub.-- LOCKED                                                         secure module is not locked                                ______________________________________                                    

    ______________________________________                                        Read Group Audit Trail (14H)                                                  ______________________________________                                        Transmit data                                                                 14H, Group ID, Group PIN                                                      Receive data                                                                  CSB = 0 if command successful, appropriate                                    error code otherwise                                                          Output length = # or records for group * 6 if                                 successful, 0 otherwise                                                       Output data = audit trail records for group                                   ______________________________________                                    

Notes:

This command is identical to the read audit trail command, except thatonly records involving the group ID specified in the transmit data arereturned to the host. This allows transaction groups to record tracktheir own activities without seeing other groups records.

Possible error codes for the read group audit trail command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                              (Group ID does not                                                            exist)                                                   ERR.sub.-- PAD.sub.-- GROUP.sub.-- PIN                                                             (Common PIN was                                                               incorrect)                                               ERR MIAC.sub.-- NOT.sub.-- LOCKED                                                                  (The secure module is                                                         not locked)                                              ______________________________________                                    

    ______________________________________                                        Read Real Time Clock (15H)                                                    ______________________________________                                        Transmit data                                                                 15H, Common PIN                                                               Receive data                                                                  CSB = 0 if the common PIN matches and                                         ERR.sub.-- BAD.sub.-- COMMON.sub.-- PIN otherwise                             Output length = 4                                                             Output data = 4 most significant bytes of the                                 real time clock                                                               ______________________________________                                    

Notes:

This value is not adjusted with a clock offset. This command is normallyused by a service provider to compute a clock offset during transactiongroup creation.

    ______________________________________                                        Read Real Time Clock Adjusted (16H)                                           ______________________________________                                        Transmit data                                                                 16H, Group ID, Group PIN, ID of offset object                                 Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     Output length = 4 if successful, 0 otherwise                                  Output data = Real time clock + clock offset ID                               ______________________________________                                    

Notes:

This command succeeds if the group ID and group PIN are valid, and theobject ID is the ID of a clock offset. The secure module adds the clockoffset to the current value of the 4 most significant bytes of the RTCand returns that value in the output data field. Note that a transactionscript may be written to perform the same task and put the result in theoutput data object.

Possible error codes for the real time clock adjusted command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                            (Incorrect group PIN)                                     ERR.sub.-- BAD.sub.-- GROUP.sub.-- ID                                                             (Specified group does                                                         not exist)                                                ERR.sub.-- BAD OBJECT.sub.-- TYPE                                                                 (Object ID is not a                                                           clock offset)                                             ______________________________________                                    

    ______________________________________                                        Get Random Data (17H)                                                         ______________________________________                                        Transmit data                                                                 17H, Length (L)                                                               Receive data                                                                  CSB = 0 if successful, appropriate error code                                 otherwise                                                                     Output length = L if successful, 0 otherwise                                  Output data = L bytes of random data if                                       successful                                                                    ______________________________________                                    

Notes:

This command provides a good source of cryptographically useful randomnumbers.

Possible error codes for the get random data command are:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- SIZE                                                                      (Requested number of bytes                                                    > 128)                                                      ______________________________________                                    

    ______________________________________                                        Get Firmware Version ID (18H)                                                 ______________________________________                                        Transmit data                                                                 18H                                                                           Receive data                                                                  CSB = 0                                                                       Output length = Length of firmware version ID                                 string                                                                        Output data = Firmware version ID string                                      ______________________________________                                    

Notes:

This command returns the firmware version ID as a Pascal type string(length+data).

    ______________________________________                                        Get Free RAM (19H)                                                            ______________________________________                                        Transmit data                                                                 19H                                                                           Receive data                                                                  CSB = 0                                                                       Output length = 2                                                             Output data = 2 byte value containing the                                     amount of free RAM                                                            ______________________________________                                    

Notes:

If the secure module has been locked the output data bytes will both be0 indicating that all memory not used by transaction groups has beenreserved for the audit trail.

    ______________________________________                                        Change Group Name (1AH)                                                       ______________________________________                                        Transmit data                                                                 1AH, Group ID, Group PIN, New Group name                                      Receive data                                                                  CSB = 0 if successful or an appropriate error                                 code otherwise                                                                Output 1ength = 0                                                             Output data = 0                                                               ______________________________________                                    

Notes:

If the group ID specified exists in the secure module and the PINsupplied is correct, the transaction group name is replaced by the newgroup name supplied by the host. If a group ID of 0 is supplied the PINtransmitted must be the common PIN. If it is correct, the secure modulename is replaced by the new name supplied by the host.

Possible error codes for the change group name command:

    ______________________________________                                        ERR.sub.-- BAD.sub.-- GROUP.sub.-- PIN                                                           (Incorrect group PIN)                                      ERR.sub.-- BAD.sub.-- GRQUP.sub.-- ID                                                            (Specified group does                                                         not exist)                                                 ERR.sub.-- BAD NAME.sub.-- LENGTH                                                                (New group name > 16 bytes)                                ______________________________________                                    

ERROR CODE DEFINITIONS ERR₋₋ BAD₋₋ COMMAND (80H)

This error code occurs when the secure module firmware does notrecognize the command just transmitted by the host.

ERR₋₋ BAD₋₋ COMMON₋₋ PIN (81H)

This error code will be returned when a command requires a common PINand the PIN supplied does not match the secure module's common PIN.Initially the common PIN is set to 0.

ERR₋₋ BAD₋₋ GROUP₋₋ PIN (82H)

Transaction groups may have their own PIN, FIG. 6. If this PIN has beenset (by a set group PIN command) it must be supplied to access any ofthe objects within the group. If the Group PIN supplied does not matchthe actual group PIN, the secure module will return the ERR₋₋ BAD₋₋GROUP₋₋ PIN error code.

ERR₋₋ BAD₋₋ PIN₋₋ LENGTH (83H)

There are 2 commands which can change PIN values. The set group PIN andthe set common PIN commands. Both of these require the new PIN as wellas the old PIN. The ERR₋₋ BAD₋₋ PIN₋₋ LENGTH error code will be returnedif the old PIN supplied was correct, but the new PIN was greater than 8characters in length.

ERR₋₋ BAD₋₋ OPTION₋₋ BYTE (84H)

The option byte only applies to the common PIN. When the set common PINcommand is executed the last byte the host supplies is the option byte(described in command section). If this byte is unrecognizable to thesecure module, it will return the ERR₋₋ BAD₋₋ OPTION₋₋ BYTE error code.

ERR₋₋ BAD₋₋ NAME₋₋ LENGTH (85H)

When the create transaction group command is executed, one of the datastructures supplied by the host is the group's name. The group name maynot exceed 16 characters in length. If the name supplied is longer than16 characters, the ERR₋₋ BAD₋₋ NAME₋₋ LENGTH error code is returned.

ERR₋₋ INSUFFICIENT₋₋ RAM (86H)

The create transaction group and create object commands return thiserror code when there is not enough heap available in the secure module.

ERR₋₋ MIAC₋₋ LOCKED (87H)

When the secure module has been locked, no groups or objects can becreated or destroyed. Any attempts to create or delete objects willgenerate an ERR₋₋ MIAC₋₋ LOCKED error code.

ERR₋₋ MIAC₋₋ NOT₋₋ LOCKED (88H)

If the secure module has not been locked there is no audit trail. If oneof the audit trail commands is executed this error code will bereturned.

ERR₋₋ GROUP₋₋ LOCKED (89H)

Once a transaction group has been locked object creation within thatgroup is not possible. Also the objects attributes and types are frozen.Any attempt to create objects or modify their attribute or type byteswill generate an ERR₋₋ GROUP₋₋ LOCKED error code.

ERR₋₋ BAD₋₋ OBJECT₋₋ TYPE (8AH)

When the host sends a create object command to the secure module, one ofthe parameters it supplies is an object type (see command section). Ifthe object type is not recognized by the firmware it will return anERR₋₋ BAD₋₋ OBJECT₋₋ TYPE error code.

ERR₋₋ BAD₋₋ OBJECT₋₋ ATTR (8BH)

When the host sends a create object command to the secure module, one ofthe parameters it supplies is an object attribute byte (see commandsection). If the object attribute byte is not recognized by the firmwareit will return an ERR₋₋ BAD₋₋ OBJECT₋₋ ATTR error code.

ERR₋₋ BAD₋₋ SIZE (8CH)

An ERR₋₋ BAD₋₋ SIZE error code is normally generated when creating orwriting an object. It will only occur when the object data supplied bythe host has an invalid length.

ERR₋₋ BAD₋₋ GROUP₋₋ ID (8DH)

All commands that operate at the transaction group level require thegroup ID to be supplied in the command packet. If the group ID specifieddoes not exist in the secure module it will generate an ERR₋₋ BAD₋₋GROUP₋₋ ID error code.

ERR₋₋ BAD₋₋ OBJECT₋₋ ID (8EH)

All commands that operate at the object level require the object ID tobe supplied in the command packet. If the object ID specified does notexist within the specific transaction group (also specified in thecommand packet) the secure module will generate an ERR₋₋ BAD₋₋ OBJECT₋₋ID error code.

ERR₋₋ INSUFFICIENT₋₋ FUNDS (8FH)

If a script object that executes financial transactions is invoked andthe value of the money register is less than the withdrawal amountrequested an ERR₋₋ INSUFFICIENT₋₋ FUNDS error code will be returned.

ERR₋₋ OBJECT₋₋ LOCKED (90H)

Locked objects are read only. If a write object command is attempted andit specifies the object ID of a locked object the secure module willreturn an ERR₋₋ OBJECT₋₋ LOCKED error code.

ERR₋₋ OBJECT₋₋ PRIVATE (91H)

Private objects are not directly readable or writable. If a read objectcommand or a write object command is attempted, and it specifies theobject ID of a private object, the secure module will return an ERR₋₋OBJECT₋₋ PRIVATE error code.

ERR₋₋ OBJECT₋₋ DESTRUCTED (92H)

If an object is destructible and the transaction group's destructor isactive the object may not be used by a script. If a script is invokedwhich uses an object which has been destructed, an ERR₋₋ OBJECT₋₋DESTRUCTED error code will be returned by the secure module.

The exemplary embodiment of the present invention is preferably placedwithin a durable stainless steel, token-like can. It is understood thatan exemplary secure module can be placed in virtually any articulatableitem. Examples of articulatable items include credit cards, rings,watches, wallets, purses, necklaces, jewelry, ID badges, pens,clipboards, etc.

The secure module 108 preferably is a single chip "trusted computer". Bythe word "trusted" it is meant that the computer is extremely securefrom tampering by unwarranted means. The secure module incorporates anumeric coprocessor optimized for math intensive encryption. The BIOS ispreferably immune to alteration and specifically designed for verysecure transactions.

Each secure module can have a random "seed" generator with the abilityto create a private/public key set. The private key never leaves thesecure module and is only known by the secure module. Furthermore,discovery of the private key is prevented by active self-destructionupon wrongful entry into the secure module. The secure module can bebound to the user by a personal identification number (PIN).

When transactions are performed by the secure module 108 certificates ofauthentication are created by either or both the secure module and asystem the secure module communicates with. The certificate can containa variety of information. In particular, the certificate may contain:

1) who is the secure module user via a unique registration number and acertified public key.

2) when the transaction took place via a true-time stamping of thetransaction.

3) where the transaction took place via a registered secure moduleinterface site identification.

4) security information via uniquely serialized transactions and digitalsign on message digests.

5) secure module status indicated as valid, lost, or expired.

Although a preferred embodiment of the method and apparatus of thepresent invention has been illustrated in the accompanying Drawings anddescribed in the foregoing Detailed Description, it will be understoodthat the invention is not limited to the embodiment disclosed, but iscapable of numerous rearrangements, modifications and substitutionswithout departing from the spirit of the invention as set forth anddefined by the following claims.

What is claimed is:
 1. A method for electronically transferring units of exchange between a first module and a second module, comprising the steps of:a. initiating communication between said first module and an electronic device; b. passing a first value datum from said first module to said electronic device; c. passing said first value datum from said electronic device to said second module; d. performing a mathematical calculation on said first value datum thereby creating a second value datum; e. passing said second value datum from said second module to said electronic device; f. passing said second value datum from said electronic device to said first module; g. storing said second value datum in said first module; and h. discontinuing communication between said first module and said electronic device.
 2. The method of claim 1, wherein said first value datum represents a monetary equivalent.
 3. The method of claim 1, wherein said first value datum is encrypted.
 4. The method of claim 1, wherein said second value datum is encrypted.
 5. The method of claim 3, wherein the step of performing a mathematical calculation comprises the steps of:m. decrypting said first value datum with a public key thereby creating a decrypted value; n. performing at least one of an addition function and a subtraction function on said decrypted value thereby creating a value result; and o. encrypting said value result with a private key thereby creating said second value datum.
 6. The method of claim 1, wherein the step (b) of passing is performed over at least a single conductive contact. 